To secure a web application against SQL injection and cross-site scripting (XSS), follow these best practices:

SQL Injection Prevention:
1. Parameterized Queries: Utilize prepared statements with parameters to separate SQL code from data.
2. ORM (Object-Relational Mapping): Implement an ORM library to abstract and manage database queries securely.
3. Input Validation: Validate and sanitize all user inputs to ensure they conform to expected formats.
4. Least Privilege Principle: Limit database account privileges to only what is necessary for their functions.
5. Stored Procedures: Use stored procedures to encapsulate SQL logic and minimize injection risks.

XSS Prevention:
1. Output Encoding: Encode data before displaying it in the browser to prevent the execution of malicious scripts.
2. Content Security Policy (CSP): Implement CSP headers to restrict the sources from which scripts can be loaded.
3. Input Validation: Validate and sanitize user inputs, especially those rendered in the browser.
4. HTTPOnly and Secure Cookies: Use these attributes to prevent client-side access to cookies and ensure they are sent over secure channels.
5. Framework Security Features: Use the built-in security features of web frameworks to help mitigate XSS vulnerabilities.

By consistently applying these best practices, you can significantly reduce the risk of SQL injection and XSS in your web applications.